HPCwire » FedRAMP

DOE Connects the Dots on Multi-Lab Cloud Strategy
Mon, 10 Dec 2012
http://www.hpcwire.com/2012/12/10/doe_connects_the_dots_on_multi-lab_cloud_strategy/

For the first time it is now possible to access the cloud computing strategies of all 22 Department of Energy national laboratories and research organizations in one document. The 53-page report provides an overview of the progress and future plans for each of the 22 centers.

The developments are an extension of the Cloud First mandate that came out of the Office of Management and Budget’s 25-point plan to reform federal information technology management. The plan, published Dec. 9, 2010, attributes a range of benefits to cloud computing, including better cost efficiency, greater flexibility and faster procurement times.

As the current document elucidates, a special challenge for these DOE agencies is security. Regardless of other possible cloud benefits, these labs cannot afford to skimp on cyber security practices. The authors point to analyst firm Gartner’s seven security considerations when moving to the cloud: privileged user access, regulatory compliance, data location, data segregation, recovery, investigative support, and long-term viability.

A proven method of reducing risk is to “approve once and use often.” This approach, which adds consistency to security controls and eliminates redundancies, was standardized by the OMB in December 2011, under the Federal Risk and Authorization Management Program (FedRAMP).

Earlier this year, the DOE in partnership with the National Nuclear Security Administration (NNSA) established the RightPath program to address network vulnerabilities by aligning the various departments’ IT strategies. Toward that end, the RightPath team is developing a secure cloud services brokerage technology called YOURcloud, which will connect a federal customer base to a federated marketplace of cloud service providers (public, private and hybrid).

Each of the 22 institutions outlined has different types of cloud implementations in different stages of development, illustrating that there is no one-size-fits-all model. However, the authors do draw several simple but important conclusions.

1. Have a plan.

2. Address security concerns.

3. Share successes and missteps.

4. Remember cloud services are evolving.

“Understand the cloud and its risks and benefits,” the authors write. “As cloud computing continues to evolve, know that risks and benefits may change.”

According to recent surveys conducted among enterprise professionals, security concerns have been a major roadblock in the path to cloud adoption. However, new developments show that users and certain government agencies have started warming to the idea of using cloud services to handle more sensitive data.

Take for example the General Services Administration’s (GSA) FedRAMP program, a collaborative effort aimed at increasing confidence in the security capabilities of cloud service providers. FedRAMP involves members from the National Institutes of Health, Department of Homeland Security, Department of Defense, National Security Agency, Office of Management and Budget along with the Federal CIO Council and private industry professionals.

One of the benefits of the program is the government’s ability to assess and certify the security practices of cloud service providers. This accomplishes a number of tasks.

1) Creates a uniform system for testing cloud service providers.

2) Increases transparency between providers and government agencies.

3) Generates more confidence in cloud providers that achieve certification.

This week Federal Times reported that since the FedRAMP program was launched, more than 50 cloud service providers have applied to get their government stamp of approval. Unfortunately, fewer than a handful will have the chance of receiving that recognition. GSA member Dave McClure expected to complete reviews for just three operators by January.

If any of those lucky providers do pass the security test, they will receive a provisional authority to operate (ATO). With an ATO in hand, these companies will be certified for use by the Department of Homeland Security, Department of Defense and General Services Administration. The ATO makes other agencies aware of a provider’s capabilities, which, in turn, speeds up the process of adoption.

The system seems both rigorous and hopeful, but the devil is in the details. For example, a number of cloud providers have difficulty with certain federal security requirements. If an operator is to receive FedRAMP certification, they have to show that systems housing government data are accessed with two-factor authentication. Also, employees with access to government data have to undergo extensive background investigations. Seems like a lot of legwork to receive a shiny certification.

While the government works to bring cloud vendors up to speed with security, commercial outfits are coming up with some creative solutions to secure data in a public cloud environment. On Wednesday, the NASDAQ OMX Group launched a service called FinQloud, powered by Amazon Web Services and aimed at the needs of the financial services sector. The platform is hosted by Amazon and protected by a robust key encryption management system.